Hi Horms,
On Tue, 11 Jan 2000, Horms wrote:
> > There is one big difference which must be tested (the config with
> > two eths):
> >
> > - The VIP is configured on eth0
> > - Director is talking to real servers through eth1
> > - Director is talking to the world through eth0
> > - eth1 is configured with rp_filter=0
> >
> > So, my question is:
> >
> > Horms,
> >
> > are you using 2 eth cards ?
>
> Yes, I have the real servers connected via eth1 and the
> clients talking via eth2.
>
> > If Yes,
> >
> > are you using rp_filter=1 (all/rp_filter=1, */rp_filter=1) ?
>
> I checked this out all/rp_filter=0, */rp_filter=2
Is rp_filter working when all/rp_filter=0? It must be 1.
>
> > If Yes, is the Directors default gw reachable through eth0 ?
>
> In this case eth2, yes.
>
> > If Yes, Please try to set eth1/rp_filter=0
>
> As this was already set I tried setting eth2 (interface to clients)
> eth2/rp_filter=1, which made no difference.
>
> > The difference is that we disable source checking for eth1 but the
> > outgoing packet is routed through eth0. This is not tested but the source
> > validation must fail in this case and the packet must be forwarded
> > successfully.
> >
> > Of course, ip_forward must be 1.
>
> Of course.
>
> > For Director with 1 eth this is not working, i.e. rp_filter can't
> > help. But this is only assumption looking in the kernel sources and it
> > must be tested.
>
> Unfortunately it doesn't seem to have helped. The VIP is an IP alias,
> I have tried putting this on both eth1 (server side interface)
> and eth2 (client side interface). Looking at tcpdumps the
> return packet is seen by the IPVS box on the server side
> but not forwarded to the clients side, so the assumption that
> the packet is being dropped for some reason appears to be correct.
It is very strange. The next thing you can test:
- all/rp_filter=1, eth1/rp_filter=0, eth2/rp_filter=1 - this is for your
security only. For the test you can set */rp_filter=0
- Is there a route for 192.168.2.0/24 in Node-2 (IPVS) through eth2?
- Can you try with a request routed through the client net but coming from
outside the client net, i.e. from the world? Can Node-2 access the world?
- Are Node-4 and Node-5 Linux 2.2 boxes? What kernel version? What LVS
version? Are they ARP patched? For 2.2.14 you can use:
echo 1 > /proc/sys/net/ipv4/conf/all/hidden
echo 1 > /proc/sys/net/ipv4/conf/lo/hidden
I assume your VIP is on lo:ALIAS
Are you seeing such ARP requests with tcpdump:
who-has MYROUTER tell VIP
where MYROUTER is the Node-2 IP used as default gw in the real servers.
If you see such requests you have to ARP patch the real servers or add a
static ARP entry for MYROUTER in the real servers. What service are you
trying? Web?
Regards,
Julian Anastasov
----------------------------------------------------------------------
LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
To unsubscribe, e-mail: lvs-users-unsubscribe@xxxxxxxxxxxxxxxxxxxxxx
For additional commands, e-mail: lvs-users-help@xxxxxxxxxxxxxxxxxxxxxx
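The checks Julian lists above (director rp_filter per interface, the "hidden" flag on the real servers, and watching for "who-has MYROUTER tell VIP" in tcpdump output) collected into a small shell script. This is an added example, not code from the thread or from the LVS project; the VIP 10.0.0.100, the director address 192.168.2.1, the interface names eth1/eth2, the MAC address and the tcpdump sample lines are all hypothetical and constructed here.

```shell
#!/bin/sh
# Added example, not from the original thread. Wraps the checks suggested
# in the reply above as shell functions: the director's per-interface
# rp_filter settings, the real servers' "hidden" flag, and a count of
# "who-has MYROUTER tell VIP" requests in tcpdump ARP output.
# All addresses, interface names and the MAC below are hypothetical.

VIP="10.0.0.100"          # hypothetical VIP (on lo:0 of the real servers)
MYROUTER="192.168.2.1"    # hypothetical director IP, default gw of real servers

# Director (Node-2): forwarding on, rp_filter on everywhere except the
# interface facing the real servers. Prints the commands to run as root.
director_rp_filter_cmds() {
    server_if="$1"   # interface toward the real servers, e.g. eth1
    client_if="$2"   # interface toward the clients / default gw, e.g. eth2
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/$client_if/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/$server_if/rp_filter
EOF
}

# Real servers (2.2.14 with the hidden patch): keep the lo alias holding
# the VIP out of ARP entirely. Prints the commands to run as root.
realserver_hidden_cmds() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/conf/all/hidden
echo 1 > /proc/sys/net/ipv4/conf/lo/hidden
EOF
}

# Fallback without the patch: pin MYROUTER's MAC so the real server never
# has to ARP for it (and so never sends a request with the VIP as source).
realserver_static_arp_cmd() {
    router_mac="$1"
    echo "arp -s $MYROUTER $router_mac"
}

# Count ARP requests in which a real server asks for MYROUTER using the
# VIP as the sender address. Anything above zero means the VIP is not
# hidden on that server. Input: text of "tcpdump -n -i eth1 arp" run on
# the director's server-side interface.
count_vip_arp_requests() {
    printf '%s\n' "$1" | grep -c "who-has $MYROUTER tell $VIP" || :
}

# Constructed sample of classic tcpdump ARP lines as seen on the director's
# server-side interface. The second line is the symptom described above.
SAMPLE_ARP="12:00:01.000000 arp who-has 192.168.2.1 tell 192.168.2.10
12:00:02.000000 arp who-has 192.168.2.1 tell 10.0.0.100
12:00:02.100000 arp reply 192.168.2.1 is-at 0:0:5e:0:53:1
12:00:03.000000 arp who-has 192.168.2.11 tell 192.168.2.1"

# Stand-alone run: print what to do for the sample capture.
if [ "$(count_vip_arp_requests "$SAMPLE_ARP")" -gt 0 ]; then
    echo "# real servers leak the VIP in ARP; on each real server run:"
    realserver_hidden_cmds
    echo "# or, without the hidden patch (MAC is hypothetical):"
    realserver_static_arp_cmd "00:00:5e:00:53:01"
fi
echo "# on the director (eth1 = real servers, eth2 = clients):"
director_rp_filter_cmds eth1 eth2
```

In real use, replace SAMPLE_ARP with the output of tcpdump on the director's server-side interface; a non-zero count from count_vip_arp_requests is the sign that the real servers still need the ARP patch or the static ARP entry.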